Around the current log4shell situation i need a way to find out if i have vulnerable classes in my packaged products.
What is the easiest way to find if the following classes are contained in jar files packaged in EAR or WAR files?
JndiLookup.class
JMSAppenderBase.class
JMSAppender.class
One solution would be the following bat script:
#echo off
echo extraction step 1
"C:\Program Files\7-Zip\7z.exe" e -r -aos -bd -otmp *
echo creating filelist
"C:\Program Files\7-Zip\7z.exe" l -r -aos -bd tmp/* >filelist.txt
echo cleanup
rmdir /s /q tmp
echo analysis result:
find "JndiLookup.class" filelist.txt
find "JMSAppenderBase.class" filelist.txt
find "JMSAppender.class" filelist.txt
pause
Related
The jdeprscan tool determines lists all deprecated and non-existing dependencies. It can run on classes, directories and on a JAR.
But how to run it on an EAR ?
Inspired by https://stackoverflow.com/a/57217414/698168, I explode the EAR into JARs using the following script (Windows) :
rem remove previous run
rd /s /q ear
rem extract the EAR
"C:\Program Files\7-Zip\7z" x -oear *.ear
rem extract the WAR
cd ear
"C:\Program Files\7-Zip\7z" x -owar *.war
rem unify JAR from EAR and WAR
copy war\WEB-INF\lib\*.jar lib
rem make JAR with the classes
cd war\WEB-INF\classes
rem "C:\Program Files\7-Zip\7z" a -r my-app.jar
"C:\Program Files\Java\jdk-11\bin\jar" cvf my-app.jar -C . .
rem Note: using 7zip to create the JAR may lead to errors when running jdeprscan, thus we are using the jar command
copy my-app.jar ..\..\..
rem return to origin
cd ..\..\..
rem unpack all libraries...
cd lib
"C:\Program Files\7-Zip\7z" x -aoa -oclasses *.jar
rem .. and repack them as a fat JAR
cd classes
rem "C:\Program Files\7-Zip\7z" a -r 00lib.jar
"C:\Program Files\Java\jdk-11\bin\jar" cvf 00lib.jar -C . .
rem duplicate the fat JAR and make some cleaning
copy 00lib.jar ..\00lib.jar
copy 00lib.jar ..\01lib.jar
cd ..
rd /s /q classes
rem return to origin
cd ..\..
Note that this script does not use the librairies from the JEE Server (i.e. all the Maven librairies with scope "provided" will be reported as error: cannot find class by jdeprscan).
Then I generate a jdeprscan report using the following command :
"C:\Program Files\Java\jdk-11\bin\jdeprscan" --for-removal --verbose --class-path ear\lib\*.jar ear\my-app.jar > deprscan.log 2>&1
You can then inspect the jdeprscan.log file. The classes that are not found may not exist in the newest Java version (such as 11) or may be present in the JEE modules. A missing class looks like the following (BASE64Encoder is not provided anymore by Java 11 but is used by ChecksumHelper):
Processing class oracle/spatial/security/ChecksumHelper...
error: cannot find class sun/misc/BASE64Encoder
In the best case, you can find the JAR name above in the log file (e.g. Jar file my-lib-2.3.4.jar), otherwise you will need to determine the library from the class name.
Note: all the above was designed with the idea to migrate Java 8 to Java 11.
I've used an older version of Google's Java to Objective-C (J2ObjC) converter previously (i.e. version 0.5.2) and it was straightforward to translate an entire folder of Java files to their equivalent Objective-C files (and to preserve the directory structure in doing so). I just had to run the following shell executable:
$ ./run.sh —-preservedirs <path to input folder>
I've just downloaded the latest version of J2ObjC (i.e. version 0.9.1) and it's not clear from the Getting Started page or elsewhere how I can translate an entire folder of Java files rather than just a single Java file using the j2obc executable. The only example provided in the Getting Started page is to translate a single Java file which has no dependencies or imports elsewhere as follows:
$ ./j2objc Hello.java
Can anyone provide me with an example of how to translate an entire package assuming I have a folder named input which contains my com package which contains all of the sub-packages and Java files that I want to translate?
To build a whole project, I add the source root(s) to the -sourcepath, then use the find command to locate all Java sources. For example, to build Square.com's Dagger library:
$ export J2OBJC=~/j2objc # change to wherever your distribution is
$ cd ~/src/dagger/core
$ $J2OBJC/j2objc -d build_output -sourcepath src/main/java \
-classpath $J2OBJC/lib/javax-inject.jar \
`find src/main/java -name '*.java'`
All the generated .h and .m files are now in the build_output directory, in subdirectories according to their package (like javac does). To compile all the .m files into a static library, I use:
$ cd build_output
$ j2objcc -c -I. `find . -name '*.m'`
$ libtool -static -o libdagger.a *.o
If there is no better way built into run.sh, you could use find's -exec flag:
find <path to input folder> -type f -exec --preservedirs ./run.sh {} \;
Or, you could use xargs to do multiple files at the same type:
find <path to input folder> -type f | xargs ./run.sh --preservedirs
(You might also need to add -name "*.java" to the find arguments if there are non-Java files in your directories).
I have 2 files, "launcher.jar" and "camStudio.jar" that I need merged. I decided to try to do this using batch with the code:
copy /b launcher.jar + camStudio.jar file.jar
However, the resulting "file.jar" only contains the contents of "camStudio.jar". How can I prevent the files in "launcher.jar" from being deleted?
Combining the contents of two .jar files is a little more complicated than just calling copy from the command line. Rather than a normal directory, .jar files are a type of compressed file, so you need special utilities to manipulate them. Fortunately these tools come with the standard JKD.
The JDK comes with the utility jar that is unsurprisingly used for manipulating .jar files. It's usage is described as this:
Usage: jar {ctxui}[vfmn0Me] [jar-file] [manifest-file] [entry-point] [-C dir] files ...
Options:
-c create new archive
-t list table of contents for archive
-x extract named (or all) files from archive
-u update existing archive
-v generate verbose output on standard output
-f specify archive file name
-m include manifest information from specified manifest file
-n perform Pack200 normalization after creating a new archive
-e specify application entry point for stand-alone application
bundled into an executable jar file
-0 store only; use no ZIP compression
-M do not create a manifest file for the entries
-i generate index information for the specified jar files
-C change to the specified directory and include the following file
If any file is a directory then it is processed recursively.
The manifest file name, the archive file name and the entry point name are
specified in the same order as the 'm', 'f' and 'e' flags.
Example 1: to archive two class files into an archive called classes.jar:
jar cvf classes.jar Foo.class Bar.class
Example 2: use an existing manifest file 'mymanifest' and archive all the
files in the foo/ directory into 'classes.jar':
jar cvfm classes.jar mymanifest -C foo/ .
Relevant commands for combining two .jar files are x and c. Even with this, combining the .jar files takes more than a line or two, so I put together this .bat files to automate it.
:: Pass one or more .jar files as command line arguments
:: Combine_Jar [file1] [file2 ...]
:: Combine_Jar Test.jar
:: Combine_Jar Test.jar Test2.jar Test3.jar
#echo off & setlocal enabledelayedexpansion
set "jarDir=%cd%"
set "newJar="
set "folders="
pushd %temp%
for %%a in (%*) do (
call :extract %%a
set "newJar=!newJar!_%%~na_"
)
set "tempDirs=!newJar:_=^"!"
set "tempDirs=%tempDirs:^"^"=^" ^"%"
set "newJar=!newJar:~1,-1!.jar"
set "newJar=!newJar:__=_!"
if exist "!newJar!" del /Q "!newJar!"
jar cf "!newJar!" %tempDirs%
for %%a in (%*) do call rd /s /q "%%~na"
move /Y "!newJar!" "%jarDir%" > nul
popd
exit /B
:extract
set "tempDir=%~n1"
if exist "%tempDir%" (
rd /s /q "%tempDir%"
)
md "%tempDir%"
pushd "%tempDir%"
jar xf "%jarDir%\%~1"
popd
exit /B
It will all jar files passed as arguments into a single jar files.
How do I compare two .jar files?
Both of them have compiled .class files.
I want the difference in terms of method changes, etc.
JAPICC, sample usage:
japi-compliance-checker OLD.jar NEW.jar
Sample reports for log4j: http://abi-laboratory.pro/java/tracker/timeline/log4j/
PkgDiff, sample usage:
pkgdiff OLD.jar NEW.jar
See sample report for args4j.
Clirr, sample usage:
java -jar clirr-core-0.6-uber.jar -o OLD.jar -n NEW.jar
If you select two files in IntellijIdea and press Ctrl + Dthen it will show you the diff. I use Ultimate and don't know if it will work with Community edition.
Rename .jar to .zip
Extract
Decompile class files with jad
Recursive diff
Extract each jar to it's own directory using the jar command with parameters xvf. i.e. jar xvf myjar.jar for each jar.
Then, use the UNIX command diff to compare the two directories. This will show the differences in the directories. You can use diff -r dir1 dir2 two recurse and show the differences in text files in each directory(.xml, .properties, etc).
This will also show if binary class files differ. To actually compare the class files you will have to decompile them as noted by others.
Create a folder and create another 2 folders inside it like old and new. add relevant jar files to the folders. then open the first folder using IntelliJ. after that click whatever 2 files do you want to compare and right-click and click compare archives.
I use to ZipDiff lib (have both Java and ant API).
Here is my script to do the process described by sje397:
#!/bin/sh
# Needed if running on Windows
FIND="/usr/bin/find"
DIFF="diff -r"
# Extract the jar (war or ear)
JAR_FILE1=$1
JAR_FILE2=$2
JAR_DIR=${PWD} # to assign to a variable
TEMP_DIR=$(mktemp -d)
echo "Extracting jars in $TEMP_DIR"
EXT_DIR1="${TEMP_DIR}/${JAR_FILE1%.*}"
EXT_DIR2="${TEMP_DIR}/${JAR_FILE2%.*}"
mkdir ${EXT_DIR1}
cd ${EXT_DIR1}
jar xf ${JAR_DIR}/${JAR_FILE1}
jad -d . -o -t2 -safe -space -b -ff -s java -r **/*.class
cd ..
mkdir ${EXT_DIR2}
cd ${EXT_DIR2}
jar xf ${JAR_DIR}/${JAR_FILE2}
jad -d . -o -t2 -safe -space -b -ff -s java -r **/*.class
cd ..
# remove class files so the diff is clean
${FIND} ${TEMP_DIR} -name '*.class' | xargs rm
# diff recursively
${DIFF} ${EXT_DIR1} ${EXT_DIR2}
I can run it on Windows using GIT for Windows. Just open a command prompt. Run bash and then execute the script from there.
Use Java Decompiler to turn the jar file into source code file, and then use WinMerge to perform comparison.
You should consult the copyright holder of the source code, to see whether it is OK to do so.
In Linux/CygWin a handy script I use at times is:
#Extract the jar (war or ear)
cd dir1
jar xvf jar-file1
for i in `ls *.class`
do
javap $i > ${i}.txt #list the functions/variables etc
done
cd dir2
jar xvf jar-file2
for i in `ls *.class`
do
javap $i > ${i}.txt #list the functions/variables etc
done
diff -r dir1 dir2 #diff recursively
If you are using IntelliJ IDEA or Android Studio, add your jar files to a project under the libs folder.
Then select the both jar files, right click then select "Compare Archives"
use java decompiler and decompile all the .class files and save all files as project structure .
then use meld diff viewer and compare as folders ..
Here's an aparently free tool http://www.extradata.com/products/jarc/
Please try http://www.osjava.org/jardiff/ - tool is old and the dependency list is large. From the docs, it looks like worth trying.
This application may be what you need, works great and display a simple GUI showing differences. Try Jarcomp
Hi i have been using an IDE but now I need to run and compile from the command line.
The problem is that I have multiple packages and I have tried to find the answer but nothing has worked.
So I have
src/
Support/ (.java files)
Me/ (.java files)
Wrapers/ (.java files)
Do you know how to compile everything with javac?
This should do it (may require additional classpath elements via the -cp command line switch):
javac Support/*.java Me/*.java Wrapers/*.java
But if your build process gets more complex (and it will!), you should look into using Apache Ant for build automation.
You should use build tools like Maven or Ant for such tasks.
In the initial stages, when the project is not very complex you can use the following line to compile, with appropriate classpath in place(as suggested by #Michael):
javac Support/*.java Me/*.java Wrapers/*.java
javac -d compiled $(find src -name *.java)
If you really need to just use javac and standard UNIX commands you could to this:
find src -name \*.java -print0 | xargs -0 javac -d classes
The real answer is javac -d (places where classes to be built and placed) -sourcepath (source of the package at the root) -cp (classpath of the dependencies which can again be classes folder where the classes are build and kept) full qualified name of the java file.
Ex javac -d classes -sourcepath src -cp classes src\com\test\FirstSample.java
The FirstSample.java contains the main method. Pacjage structure mentioned below.
Before compiling
HomeApp
--src
------com\test\FirstSample.java (First Sample using the FirstPojo.java)
------com\test\FirstPojo.java
--classes
After compiling
HomeApp
--src
------com\test\FirstSample.java (FirstSample.java using the FirstPojo.java)
------com\test\FirstPojo.java
--classes
------com\test\FirstSample.class (FirstSample.class using the FirstPojo.class)
------com\test\FirstPojo.class
In many cases Ant is overkill. Just use a BAT file if you are in windows or a shell script (sh file) if you are in linux. You can create a text file which includes all your javac commands and just run that file when you want to build.
For example, I use the following bat file to build one of my apps:
#echo off
echo Building Shazaam...
del classes\com\aepryus\shazaam\*.* /q
del classes\com\aepryus\shazaam\engine\*.* /q
del classes\com\aepryus\shazaam\domain\*.* /q
del classes\com\aepryus\shazaam\persist\*.* /q
del classes\com\aepryus\shazaam\view\*.* /q
del classes\com\aepryus\shazaam\task\*.* /q
del classes\com\aepryus\shazaam\action\*.* /q
del classes\com\aepryus\shazaam\controller\*.* /q
javac src\com\aepryus\shazaam\*.java -classpath \lib\AepUtil.jar;\lib\AepXML.jar;\lib\AepLoom.jar; -d classes
javac src\com\aepryus\shazaam\engine\*.java -classpath \lib\AepUtil.jar;\lib\AepXML.jar;\lib\AepLoom.jar;\lib\Sprout.jar;classes; -d classes
javac src\com\aepryus\shazaam\domain\*.java -classpath \lib\AepUtil.jar;\lib\AepLoom.jar;\lib\Sprout.jar;classes; -d classes
javac src\com\aepryus\shazaam\persist\*.java -classpath \lib\AepUtil.jar;\lib\AepLoom.jar;\lib\Sprout.jar;classes; -d classes
javac src\com\aepryus\shazaam\view\*.java -classpath \lib\Servlet.jar;\lib\AepUtil.jar;\lib\AepXML.jar;\lib\AepLoom.jar;\lib\AepHTML.jar;\lib\Sprout.jar;classes; -d classes
javac src\com\aepryus\shazaam\task\*.java -classpath \lib\AepUtil.jar;\lib\AepLoom.jar;\lib\AepHTML.jar;\lib\Sprout.jar;classes; -d classes
javac src\com\aepryus\shazaam\action\*.java -classpath \lib\Servlet.jar;\lib\AepUtil.jar;\lib\AepLoom.jar;\lib\AepHTML.jar;\lib\Sprout.jar;classes; -d classes
javac src\com\aepryus\shazaam\controller\*.java -classpath \lib\Servlet.jar;\lib\AepUtil.jar;\lib\AepXML.jar;\lib\AepRPC.jar;\lib\AepLoom.jar;\lib\AepHTML.jar;\lib\Sprout.jar;classes; -d classes
cd classes
jar cf ..\war\WEB-INF\lib\Shazaam.jar .
cd..
echo Complete
To compile Run below command [it will store all class files in classes folder]
javac -d classes Support/*.java Me/*.java Wrapers/*.java
**Note : classes folder should be created first
To Run java application, run below command
java -cp classes {mainfile_name}
Replace mainfile_name with your main file.